Traffic counting with TrafMeter FAQ
 

Q: I installed TrafMeter on a NAT router to do the Internet traffic accounting of users from my office network. I created the filter with the rule "A specific IP address - IP addresses of WAN" with the "Both direction" flag enabled. I filled out the LAT and selected the network adapter for capturing. After starting the capture, I noticed that the sent bytes counter doesn't work although the received bytes counter works perfectly. How do I resolve this problem?

A: You should use Active Capture Mode for capturing the traffic on NAT routers.

Q: What is the technique of calculating the length of an IP packet in TrafMeter?

A: Every IP packet has a field in the header named "Total length". It contains the number of bytes in the entire packet, including the header. TrafMeter uses only the value obtained from this field to calculate the length of an IP packet.
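The following added example (not TrafMeter code) reads the "Total length" field from a captured Ethernet II frame and shows that the counted value can be smaller than the number of bytes captured, because Ethernet padding is not part of the IP packet. The frame is constructed for the example, untagged Ethernet II framing is assumed, and the function name is hypothetical.

```python
import struct

ETH_HDR = 14          # assumed: untagged Ethernet II header (dst, src, EtherType)
ETHERTYPE_IPV4 = 0x0800


def counted_ip_length(frame: bytes):
    """Return the IPv4 "Total length" (header + payload) of the packet carried
    in an Ethernet II frame, or None if the frame holds no sane IPv4 header."""
    if len(frame) < ETH_HDR + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    version = frame[ETH_HDR] >> 4
    header_len = (frame[ETH_HDR] & 0x0F) * 4        # IHL is in 32-bit words
    (total_len,) = struct.unpack_from("!H", frame, ETH_HDR + 2)
    if version != 4 or header_len < 20 or total_len < header_len:
        return None
    # Choice made by this example: a Total length larger than the bytes that
    # follow the Ethernet header is treated as malformed rather than counted.
    if total_len > len(frame) - ETH_HDR:
        return None
    return total_len


def build_sample_frame() -> bytes:
    """Constructed sample: ICMP echo request with 1 data byte (checksums left 0).
    IP packet = 20 (header) + 8 (ICMP header) + 1 (data) = 29 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 29, 1, 0, 64, 1, 0,
                     bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"x"
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    # Short frames are padded to the 60-byte Ethernet minimum (FCS excluded).
    return (eth + ip + icmp).ljust(60, b"\x00")


if __name__ == "__main__":
    frame = build_sample_frame()
    print("captured bytes:", len(frame))
    print("counted bytes: ", counted_ip_length(frame))
```
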

Q: I have created a filter with the rule from "Any address" to "Any address" with a mirrored flag enabled. The "sent bytes" cell displays a number that is very close to the captured traffic but the "received bytes" cell shows zero. Incoming traffic isn't counted. What's wrong?

A: You can't split the traffic into sent and received in a rule "from Any to Any". Imagine that you stand at the side of a two-way road watching the cars. Which cars are incoming and which are outgoing? You can't answer, because you need a reference point. For example, decide that the cars heading to city "A" are inbound traffic and the cars heading to city "B" are outgoing traffic.

Q: I have created a filter with the rule from "My computer" to "Any address" which only takes the ICMP packets into account. If I ping any host in my LAN, the counters will be increased normally. When I try to ping a nonexistent host in the LAN, the counters will not be updated. What is wrong?

A: If you try to ping any host in the LAN, an ARP request will be sent first to obtain the MAC address of the pinged host. If your computer doesn't receive the ARP response (because the pinged host doesn't exist), the ICMP packets will not be sent. Therefore, the counters of the ICMP filter will not be updated.

Q: I have a connection to the Internet via a DSL modem plugged into an Ethernet hub and want to monitor traffic between my PC and the Internet. My PC has the IP address 192.168.1.2 and the DSL modem has the IP address 192.168.1.1. I have created a TrafMeter filter with a rule "192.168.1.2 as source address" and "192.168.1.1 as destination address". I start capturing the traffic but all counters show zero. What's wrong?

A: You measure the traffic between your PC and your DSL modem. This is your mistake. Packets transmitted from your PC to the Internet don't have the IP address of your DSL modem as the destination. First, fill in a Local Address Table (LAT) with all addresses of your network (e.g., from 192.168.1.1 to 192.168.1.255). Second, create the filter with the rule "192.168.1.2 as source address" and "IP addresses of WAN as destination address".

Q: I use TrafMeter on my Internet gateway running the web-caching proxy server SquidNT. All clients from my office network use the proxy. TrafMeter successfully counts the traffic between the clients and the proxy server port, but I want to not count the traffic of requests served from cache. What should I do?

A: Unfortunately, you can't do that. TrafMeter reads raw network packets. These packets don't contain information about whether a request was served directly or from cache.

Q: How do I measure FTP traffic?

A: FTP is an acronym that stands for "File Transfer Protocol". FTP is used for transferring files over the Internet. There are 2 types of FTP connections, Active FTP and Passive FTP. The rules that you will require to count FTP traffic are dependent on which mode of FTP you are using. The default behavior for most browsers is to use Passive FTP, while for most FTP client programs (e.g. CuteFTP, Internet Neighborhood, WS-FTP) it is Active.
 
FTP consists of 2 unique connections between the client machine and the FTP server. One is called the "control" connection. This handles the user connecting to and logging into the FTP server. Once the user is logged in, the "data" connection is established to permit the listing of files in a directory, and allow for files to be uploaded or downloaded.
 
The "control" connection is the same for both Passive and Active FTP. The client makes the initial TCP connection from their temporary range of ports (i.e. any available port higher than 1023) to the server’s port 21 and says "Hi! I want to connect with you. Here is my user name and password". What happens next depends on whether Active or Passive mode is being used.
 
In Active mode, when the client says "Hi!" and logs in, they also tell the server a port number (again, somewhere in the temporary range) on which the server should connect back to them to make the data connection. The FTP server logs the user in and then connects back to them from the server’s port 20 to the port that was given, to open the data connection.
 
In Passive mode, after the client says "Hi!" and logs in, the FTP server logs them in, then tells the client what port to connect to the server on to make the data connection (this will be a port in the temporary range, 1024+). The client receives that information, then connects back from a temporary port to the FTP server on the port they were instructed to use, to open the data connection.
 
The major difference between Active and Passive mode FTP is which side is opening the data connection. In Active mode, the client machine needs to accept a data connection originating from the FTP server. In Passive mode, the client machine is always the one originating the connection.
 
Active Mode Example:
[1] Control Connection: Client port 1026 -> Server port 21
[2] Data Connection: Client port 1027 <- Server port 20
 
Passive Mode Example:
[1] Control Connection: Client port 1026 -> Server port 21
[2] Data Connection: Client port 1027 -> Server port 2065
 
We hope that this information will help you create rules to count FTP traffic. In addition, TrafMeter can analyze the control connection, extract the port numbers for the data connection and create dynamic rules (regardless of Active or Passive mode FTP) to count the data transferred over the data connection. To do this, create a rule with the "FTP option" enabled.
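The following added example (not TrafMeter's own code) shows how a monitor can extract the data-connection endpoint from control-connection lines: the PORT command in Active mode and the 227 reply in Passive mode. The sample lines are constructed to match the two examples above, the server address 203.0.113.10 and all function names are assumptions, and the check that the announced address belongs to the sender of the line is a strict choice made by this example.

```python
import re

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
# Client -> server in Active mode:  PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+" + SIX + r"\s*$", re.IGNORECASE)
# Server -> client in Passive mode: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\s.*?\b" + SIX + r"\b")


def data_rule(line, from_client, client_ip, server_ip):
    """Return the data connection announced by one control-connection line,
    or None if the line announces nothing usable."""
    m = (PORT_RE if from_client else PASV_RE).match(line.rstrip("\r\n"))
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]      # the port travels as two bytes: p1*256 + p2
    sender = client_ip if from_client else server_ip
    # Strict choice of this example: only accept an endpoint on the host that
    # sent the line, so a dynamic rule is never created for a third-party address.
    if ip != sender or port == 0:
        return None
    if from_client:                     # Active: server port 20 connects to the client
        return {"mode": "active", "src": (server_ip, 20), "dst": (ip, port)}
    # Passive: client connects from a temporary port not known in advance
    return {"mode": "passive", "src": (client_ip, None), "dst": (ip, port)}


# Constructed control-connection lines: (sent by client?, line)
CLIENT, SERVER = "192.168.1.2", "203.0.113.10"
SAMPLE = [
    (True, "USER anonymous\r\n"),
    (True, "PORT 192,168,1,2,4,3\r\n"),                           # port 1027
    (False, "227 Entering Passive Mode (203,0,113,10,8,17)\r\n"),  # port 2065
    (True, "PORT 10,0,0,9,4,3\r\n"),                              # not the client: ignored
]


def rules_for(sample):
    """Collect the dynamic rules announced in a list of control lines."""
    return [r for fc, ln in sample if (r := data_rule(ln, fc, CLIENT, SERVER))]


if __name__ == "__main__":
    for rule in rules_for(SAMPLE):
        print(rule)
```
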

 
